Can't access backup master from IKEv2 VPN client
Dear community,
I have two M370 in a cluster and IKEv2 mobile VPN for remote clients.
When connected via VPN, I am unable to ping the management IP of the Firebox which is the backup master, and I also cannot open the management web page on port 8080 in a browser. For the master Firebox both of these work. When connected to the internal LAN, I am able to access both boxes. There are no firewall rules blocking outgoing traffic (default policy Allow IKEv2-Users).
I think it might be a routing problem, but I am somewhat stuck. Here are some details:
192.168.160.1/16 => Trusted-LAN IP assigned to both Fireboxes in the cluster
192.168.160.3/16 => Management IP Firebox 1
192.168.160.4/16 => Management IP Firebox 2
192.168.169.0/24 => Address pool for IKEv2 users
Simon
Best Answers
I am talking about the IPs in the management network.
You are right, there aren't many reasons to access the backup master. I just think that before upgrading to 12.5.3 this scenario was working and I am wondering why it is not working anymore.
regards,
Simon
james.carson Moderator, WatchGuard Representative
Hi @Simon_B
Without being able to access the devices and review logs, I can't really discern why it might not be working. Based on how the VPN and clusters work, I would not expect them to be accessible via that vector. If you wanted to look into this, I'd suggest opening a support case so that team can look into the issue in-depth with you.
-James Carson
WatchGuard Customer Support
Answers
Hi @Simon_B
Except in the management network (as defined in Firecluster -> Configuration) only the master will be accessible, as the two devices share an IP address on other networks.
In most scenarios, you'll only need to access the master. Any commands for the backup master can be relayed from it, like upgrade and fail-over commands. What specifically do you need to connect to the backup master for?
-James Carson
WatchGuard Customer Support